Let's say you want to send a message to someone which has to go through a public place. How can you make sure only your recipient can read it? This is the inherent problem with the web. If you're reading a web page which has to be transmitted across cables owned or controlled by the government, for example, how can you stop them from reading what you have to say? How can you store a file on your hard drive without it being read by others, even if you "delete" it? Encrypt it.
What I'm going to teach you today is asymmetric public key encryption. Sounds complicated, right? Don't worry, it's simple: there's a private key and a public key. That's it. The public key is deliberately made public and can be used by anyone. The private key stays with you. When someone wants to send a message to you, they encrypt it using [i]your[/i] public key, which creates a whole mess of gibberish text that nobody can read except for you. Which is great because then you can leave it anywhere you want. When you want to read it, you just decrypt it using your private key. Easy. Let's begin.
[b][u]OpenPGP[/u][/b]
OpenPGP is a standard for encryption, and it's the one we'll be using here. On Windows it is implemented by [url=http://www.gpg4win.org/]GPG4Win[/url], which is a port of [url=https://www.gnupg.org/]GnuPG[/url], the *nix implementation. There is also a package for [url=http://gpgtools.org/]Macs[/url]. Grab the right one; I'll assume you're using Windows, though.
When you get to choosing the components to install (you don't have to install all of them), choose GPA and/or Kleopatra. Also choose GpgEX if you want the extra right-click context menu options to encrypt/decrypt files, etc. GpgOL adds an add-on to Outlook, if you use it, so you can encrypt, decrypt, and sign emails.
When it's done, open up GPA under Gpg4win in your start menu and go to Keys > Preferences. Make sure "Use advanced mode" and "Show advanced options" are both checked. Next, go to Keys > New Key. Choose RSA as the algorithm, and the largest key size (currently GPA lets you choose 3072, but Kleopatra lets you go up to 4096 bits). Put in your name (for the purposes of this demo, use your bungie.net username), email address (just put in [i][your bungie.net username][/i]@bungie.net), a comment if you want to leave one, and whether your key should expire after a certain date (or that it should be valid forever). Then enter a passphrase to protect your private key.
After your keys have been created, they only exist locally on your computer, so you need to distribute your [i]public key[/i] for others to use. A key server is a place where you can store your public keys and retrieve others'. If you want to change which key server your key will be uploaded to (the key servers share keys among themselves anyway), go back to the preferences popup and change the Default keyserver. I use hkp://pgp.mit.edu. When you're ready, right click on your new key in the Key Manager and hit "Send Keys" to send your public key to the key server. Once your key has been sent, you should be able to search for it. If you sent it to MIT's server, you can look it up [url=http://pgp.mit.edu/]here[/url]. In fact, [url=http://pgp.mit.edu/pks/lookup?op=get&search=0xC96CB05502122932]here's mine[/url].
[b][u]Encrypt[/u][/b]
Now for the fun stuff. Since I've given you my public key, try encrypting something and post it as a reply. Only I will be able to read it. First, go to the link above where my key is and select all of the "key block" text, including the hyphens, and copy it. Go back to GPA and go to Edit > Paste. You should now have my key there in your key manager.
Go to Windows > Clipboard and type out your message. When you're finished, hit Encrypt and then choose my key from the list of public keys. Ignore signing for now - you can read up on it later if you want. When you're ready to encrypt, hit OK. You should get a message asking whether you know that the key you're about to use really is mine. If you've made it this far, you should know the answer, but consider what would happen if you accidentally used someone else's key to encrypt something confidential and they got hold of the ciphertext - they could decrypt it.
When you're done, you should get a block of text between a set of hyphens (BEGIN PGP MESSAGE and END PGP MESSAGE). This is the "gibberish" I referred to earlier (technically called ciphertext). Just as before, copy everything between and including the begin and end lines and paste it as a reply. Again, only the recipient - me - will be able to read it, which is why it's safe to post the ciphertext publicly.
Next up, decryption.
[b][u]Decrypt[/u][/b]
Hopefully by now you've created your keys, distributed the public key, and posted a link to it. When someone has encrypted a message for you to read, you need to decrypt it to get it back to normal.
Copy the encrypted message (again, everything between and including the BEGIN and END PGP MESSAGE lines) and paste it into GPA's Clipboard through Windows > Clipboard. Click the Decrypt button and, assuming you have your private key set up properly, you'll get a prompt for the passphrase you entered earlier when you created your keys. Enter it, and that's it! The message will be decrypted for you to read.
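For anyone who prefers the command line (Gpg4win installs gpg.exe too), here is the same New Key / Send Keys / Paste / Encrypt / Decrypt sequence as a script. This is an added example, not part of the original post: it assumes GnuPG 2.1 or later is on your PATH, uses two throwaway key directories under /tmp to stand in for two people plus a bystander, writes the public key block to a file instead of a key server, and the names, addresses, passphrase and message are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the GPA steps done with gpg.
# Alice makes a key and "publishes" her public key block; Bob imports it
# and encrypts a message to her; Alice decrypts it with her private key;
# Eve, who only has the public key, is shown unable to decrypt it.
# All names, addresses, the passphrase and the message are constructed.

set -u

# Create an RSA key pair in the keyring directory $1 without any prompts.
# This mirrors the GPA "New Key" dialog: RSA, 3072 bits, name, e-mail,
# no expiry, passphrase. GnuPG 2.1+ also drops a revocation certificate
# into $home/openpgp-revocs.d/ at this point (see the last section).
make_key() {
    home="$1"; name="$2"; mail="$3"; pass="$4"
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --gen-key 2>/dev/null <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $name
Name-Email: $mail
Expire-Date: 0
Passphrase: $pass
%commit
EOF
}

# Full exchange. Prints the recovered plaintext on stdout and returns
# non-zero if any step fails or if the bystander manages to decrypt.
pgp_roundtrip() {
    work="$(mktemp -d /tmp/pgpdemo.XXXXXX)"
    alice="$work/alice"; bob="$work/bob"; eve="$work/eve"
    pass="correct horse battery staple"   # constructed passphrase
    msg="meet me at the tower"            # constructed message

    make_key "$alice" "Alice Demo" "alice@example.invalid" "$pass" || return 1

    # "Send Keys": what a key server stores is this armored public key
    # block (-----BEGIN PGP PUBLIC KEY BLOCK-----). Written to a file here.
    gpg --homedir "$alice" --armor --export alice@example.invalid \
        > "$work/alice.pub.asc" 2>/dev/null || return 1

    # Bob and Eve each "paste" the key block into their own key manager.
    for home in "$bob" "$eve"; do
        mkdir -p "$home" && chmod 700 "$home"
        gpg --homedir "$home" --batch --quiet --import "$work/alice.pub.asc" \
            2>/dev/null || return 1
    done

    # Bob encrypts to Alice's public key. --trust-model always answers the
    # "is this key really hers?" question GPA asks; in real use you confirm
    # the fingerprint with the owner instead of trusting blindly.
    printf '%s\n' "$msg" > "$work/message.txt"
    gpg --homedir "$bob" --batch --yes --quiet --trust-model always --armor \
        --recipient alice@example.invalid --output "$work/message.asc" \
        --encrypt "$work/message.txt" 2>/dev/null || return 1
    grep -q 'BEGIN PGP MESSAGE' "$work/message.asc" || return 1  # the ciphertext block

    # Eve holds only the public key, so decryption must fail ("No secret key").
    if gpg --homedir "$eve" --batch --quiet --decrypt "$work/message.asc" \
        >/dev/null 2>&1; then
        echo "bystander decrypted the message?!" >&2
        return 1
    fi

    # Alice decrypts with her private key, unlocked by her passphrase.
    gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --decrypt "$work/message.asc" 2>/dev/null
    status=$?

    # Stop the gpg-agents started for the throwaway keyrings and clean up.
    for home in "$alice" "$bob" "$eve"; do
        gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    done
    rm -rf "$work"
    return $status
}
```

Run it with `pgp_roundtrip` after sourcing the file; it prints the original message. The `--trust-model always` flag is the scripted equivalent of clicking through GPA's "do you know this key is really theirs?" prompt, which is why the comment insists on checking the fingerprint with the owner first.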
[b][u]etc...[/u][/b]
This is a really, [i]really[/i] simple way for people to make sure their messages are secure, and it can be used by anyone ([url=https://play.google.com/store/apps/details?id=org.thialfihar.android.apg]even on your phone![/url]). If you have a private email address or send private emails (or at least [i]want[/i] to send private emails), this should be very appealing to you. Don't hesitate to create another pair of keys for yourself and to get others to do the same.
If you still have your keys in the key manager from this demo, you can delete them locally (which will also delete your private key), but your public key will remain on the key server(s). To invalidate it (e.g. if your private key is compromised), you need to publish a revocation certificate, but I'll let you investigate further for how to do that and [url=https://www.google.com/search?q=gpg4win+faq]other things[/url].
Don't think this is limited just to forums and email though, because you can use it for anything, including encrypting files on your computer using your own public key. This is great when you want to keep something on your hard drive (or USB!) secret and secure - even from computer forensics. Now you might be wondering what happens if your computer is seized as evidence. As far as the law is concerned, using encryption is absolutely legal, but [url=https://en.wikipedia.org/wiki/Key_disclosure_law]there are laws[/url] in a number of countries which compel you to disclose your keys (who knows what happens if you say you forgot...). That in itself should give you a good idea of just how strong this is.
-
I WILL DO THIS LATER... MAYBE.